
Data Subject Rights & Consent

Articles 15-22 catalog, DSR submission and handling workflow, 72h Article 12 SLA, and the Article 7 consent ledger.

Updated 2026-06-15

Articles 15-22 of GDPR give data subjects the rights of access, rectification, erasure, restriction, portability and objection, plus protection against solely automated decisions; together with the Article 7(3) right to withdraw consent, those are the eight rights in the table below. Aforo provides the infrastructure to receive, route, fulfill and audit those requests. The 72-hour acknowledgement window is Aforo's own operational SLA: GDPR itself sets no acknowledgement deadline, only the one-month limit for the full response in Article 12(3). This page covers what each right means, how requests flow through the system, and the consent ledger that backs Article 7.

The eight rights at a glance#

| Right | Article | What it means | Aforo capability |
|---|---|---|---|
| Access | 15 | Get a copy of all personal data the controller holds about you | Storefront /privacy → Download my data (JSON + CSV) |
| Rectification | 16 | Correct inaccurate or incomplete personal data | Storefront profile editor + DSR queue manual handling |
| Erasure | 17 | Be forgotten: full deletion of personal data | Storefront /privacy → Delete my account → 30-day grace + cascade purge |
| Restriction | 18 | Limit how the controller may use the data without deleting it | DSR queue → manual flag on customer record |
| Portability | 20 | Receive data in a machine-readable format and transmit it to another controller | Storefront /privacy → Export (JSON + CSV) |
| Objection | 21 | Object to processing based on legitimate interest or direct marketing | Storefront /privacy → Withdraw consent (per channel) |
| No automated decision-making | 22 | Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects | Aforo has no automated decisioning today; N/A |
| Withdraw consent | 7(3) | Revoke previously given consent for marketing, analytics, etc. | Storefront /privacy → Notification preferences |

How customers exercise their rights#

Your end-customers self-serve through the storefront portal's /privacy page (e.g. https://acme.storefront.aforo.ai/privacy), which surfaces three primary actions:

DOWNLOAD MY DATA
Generates a JSON + CSV bundle with profile, subscriptions, invoices, usage, consent history, and audit trail.
DELETE MY ACCOUNT
Requires typed-email confirmation, then a 30-day grace window with a cancel option, then a cascade purge across all systems.
NOTIFICATION PREFS
Toggle marketing emails, analytics, and transactional notifications. Every change is appended to the consent ledger.

Authentication on the portal

The portal requires the customer to be signed in, and Aforo identifies the data subject from the authenticated session rather than from any identifier supplied in the request, so a request can never act on another customer's data. Probes for another customer's records return a 404 rather than a 403, so the response does not confirm that the other record exists.

Operator workflow — Privacy Operations queue#

Operator-side requests (email, postal mail, phone, regulator-forwarded) are filed manually into the queue at Aforo Product UI → Governance → Privacy Operations → Subject Requests. The page is the consolidated tabbed surface that replaced the standalone "Data Subject Requests" sidebar entry in May 2026 (RBAC: OWNER, ADMIN, BILLING_ADMIN). Each row carries a 72h SLA badge that flips amber → red as the deadline approaches.

State machine

| State | What it means | Allowed transitions |
|---|---|---|
| PENDING | Just filed; needs operator triage | IN_PROGRESS, REJECTED |
| IN_PROGRESS | Operator is gathering or processing the data | COMPLETED, REJECTED |
| COMPLETED | Fulfilled and audit row written | Terminal |
| REJECTED | Refused (requires a reason, e.g. cannot verify identity, manifestly unfounded) | Terminal |
| EXPIRED | SLA deadline missed; entered automatically from PENDING or IN_PROGRESS at +30d, never by an operator. System auto-flags for escalation | Terminal |

Required fields when filing manually

  • Subject email + customer id — the data subject being identified.
  • Request type — one of ACCESS / RECTIFICATION / ERASURE / RESTRICTION / PORTABILITY / OBJECTION.
  • Source channel — STOREFRONT_PORTAL / EMAIL / PHONE / POSTAL / REGULATOR / OTHER.
  • Verification status — did you confirm the requestor's identity? Article 12(6) lets you ask for additional information where you have reasonable doubts, and Article 12(2) lets you decline to act only if you can demonstrate that you cannot identify the data subject.
  • Internal notes — never surfaced to the customer; audit-only for the handling operator.

Article 12 SLA timers#

| Stage | Deadline from receipt | Aforo enforcement |
|---|---|---|
| Acknowledgement | 72 hours (Aforo SLA; GDPR sets no separate acknowledgement deadline) | Created-at + 72h badge on every row. Email auto-sent on file. |
| Full response | One month (Art. 12(3)); Aforo enforces 30 calendar days | Auto-expiry → EXPIRED state at +30d. Escalates to OWNER role for triage. |
| Complex extension | Two further months (Art. 12(3)); the subject must be told of the extension and the reasons within the first month | Operator manually extends (+60 days) with documented reason. Customer notified. |
WARNING
The 72-hour window is for acknowledgement, not full resolution, and it is Aforo's SLA rather than a statutory deadline. Send an email confirming receipt and the estimated completion date within 72 hours. Aforo does this automatically when the request is filed via the portal; for manual filings the operator must send the acknowledgement.
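The state table and the SLA timers above, as an added example that is not Aforo's own code: the transition table, the 72h acknowledgement badge, the 30-day auto-expiry and the +60-day extension follow the page; the class and function names, the 24-hour amber window and the timestamps in the walkthrough are assumptions.

```python
"""DSR state machine with Article 12 SLA timers (added example, not Aforo's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(str, Enum):
    PENDING = "PENDING"
    IN_PROGRESS = "IN_PROGRESS"
    COMPLETED = "COMPLETED"
    REJECTED = "REJECTED"
    EXPIRED = "EXPIRED"


# Operator-driven transitions from the state table. EXPIRED is set only by the timer.
TRANSITIONS: dict[State, frozenset[State]] = {
    State.PENDING: frozenset({State.IN_PROGRESS, State.REJECTED}),
    State.IN_PROGRESS: frozenset({State.COMPLETED, State.REJECTED}),
    State.COMPLETED: frozenset(),
    State.REJECTED: frozenset(),
    State.EXPIRED: frozenset(),
}

ACK_SLA = timedelta(hours=72)       # Aforo's acknowledgement SLA
RESPONSE_SLA = timedelta(days=30)   # Aforo's enforcement of the Art. 12(3) one-month deadline
EXTENSION = timedelta(days=60)      # the page's +60d for the Art. 12(3) "two further months"
AMBER_WINDOW = timedelta(hours=24)  # assumption: badge turns amber in the last 24h before breach
T0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed receipt time for the walkthrough


@dataclass
class SubjectRequest:
    request_type: str
    created_at: datetime
    state: State = State.PENDING
    acknowledged_at: datetime | None = None
    extended: bool = False
    deadline: datetime = field(init=False)
    history: list[tuple[datetime, str]] = field(default_factory=list)  # audit trail

    def __post_init__(self) -> None:
        self.deadline = self.created_at + RESPONSE_SLA

    def acknowledge(self, now: datetime) -> None:
        self.acknowledged_at = now
        self.history.append((now, "acknowledgement sent"))

    def ack_badge(self, now: datetime) -> str:
        """Colour of the 72h badge: green, amber (close to breach) or red (breached)."""
        if self.acknowledged_at is not None:
            return "acknowledged"
        remaining = self.created_at + ACK_SLA - now
        if remaining <= timedelta(0):
            return "red"
        return "amber" if remaining <= AMBER_WINDOW else "green"

    def transition(self, new_state: State, now: datetime, reason: str = "") -> None:
        """Apply an operator transition, refusing anything not in the table."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state.value} -> {new_state.value}")
        if new_state is State.REJECTED and not reason:
            raise ValueError("REJECTED needs a reason: Art. 12(4) requires telling the subject why")
        self.history.append((now, f"{self.state.value} -> {new_state.value} {reason}".rstrip()))
        self.state = new_state

    def extend(self, now: datetime, reason: str) -> None:
        """Art. 12(3) extension: once, with a reason, decided before the original deadline."""
        if self.state not in (State.PENDING, State.IN_PROGRESS) or self.extended:
            raise ValueError("request is closed or already extended")
        if not reason or now > self.deadline:
            raise ValueError("extension needs a documented reason and must precede the deadline")
        self.deadline += EXTENSION
        self.extended = True
        self.history.append((now, f"extended: {reason}"))

    def check_expiry(self, now: datetime) -> bool:
        """Timer hook: an open request past its deadline becomes EXPIRED (escalate to OWNER)."""
        if self.state in (State.PENDING, State.IN_PROGRESS) and now > self.deadline:
            self.history.append((now, f"{self.state.value} -> EXPIRED (SLA missed)"))
            self.state = State.EXPIRED
            return True
        return False


def walkthrough() -> dict:
    """Constructed scenario: an ACCESS request that is extended, and an ERASURE request nobody touched."""
    r = SubjectRequest("ACCESS", created_at=T0)
    out = {f"badge_{h}h": r.ack_badge(T0 + timedelta(hours=h)) for h in (1, 50, 73)}
    r.acknowledge(T0 + timedelta(hours=2))
    out["badge_after_ack"] = r.ack_badge(T0 + timedelta(hours=73))
    try:
        r.transition(State.COMPLETED, T0 + timedelta(hours=3))  # PENDING -> COMPLETED is not allowed
        out["skip_refused"] = False
    except ValueError:
        out["skip_refused"] = True
    r.transition(State.IN_PROGRESS, T0 + timedelta(days=1))
    r.extend(T0 + timedelta(days=10), "archived billing data must be restored first")
    out["expired_day31"] = r.check_expiry(T0 + timedelta(days=31))
    out["expired_day91"] = r.check_expiry(T0 + timedelta(days=91))
    out["deadline_days"] = (r.deadline - T0).days
    stale = SubjectRequest("ERASURE", created_at=T0)
    out["stale_expired"] = stale.check_expiry(T0 + timedelta(days=30, hours=1))
    out["stale_state"] = stale.state.value
    return out
```

The timer hook is the part worth copying: it is the only path into EXPIRED, so an operator cannot "expire" a request to make it disappear, and the extension check refuses anything decided after the original deadline, which is when Article 12(3) requires the subject to have been told.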

Article 7 consent ledger#

Article 7(1) requires the controller to be able to demonstrate that the data subject consented to processing. Aforo's consent ledger is an append-only PostgreSQL table per tenant (consent_records) that captures every grant and withdrawal with full provenance.

What gets captured on every consent event

consent_record.json

```jsonc
{
  "consent_id": "cons_8a3f...",
  "tenant_id": "smartai",
  "end_customer_id": "cust_acme_alice",
  "consent_type": "marketing_emails",
  "state": "GRANTED",                       // GRANTED or WITHDRAWN
  "source": "PORTAL",                       // SIGNUP, PORTAL, COOKIE_BANNER, API, IMPORT, OPERATOR
  "granted_at": "2026-05-25T14:32:00Z",     // populated when state=GRANTED
  "withdrawn_at": null,                     // populated when state=WITHDRAWN
  "ip_address": "203.0.113.42",             // captured for evidentiary value
  "user_agent": "Mozilla/5.0 ...",
  "policy_version": "v3.1.2",               // which terms were in force at consent time
  "created_at": "2026-05-25T14:32:00Z"
}
```

Three consent types Aforo seeds out of the box

| Type | What it gates | Default at signup |
|---|---|---|
| terms_of_service | Account creation itself; required to use the platform | Required checkbox (Article 7(2): presented distinguishably from other consents) |
| marketing_emails | Promotional product newsletters, feature announcements, upsell campaigns | Opt-in (unchecked by default per Recital 32) |
| analytics_tracking | Behavioral analytics for product improvement | Opt-in (unchecked by default) |
INFO
Recital 32 strictness. Pre-ticked boxes, silence and inactivity do not constitute consent. Aforo's signup form enforces this: the marketing and analytics checkboxes ship unchecked. The terms-of-service checkbox is required (account creation fails without it) but cannot be bundled with marketing consent.

Withdrawing consent

Article 7(3) requires consent withdrawal to be as easy as giving it. Customers withdraw any consent from the storefront portal's /privacy page. Withdrawal does NOT update the existing row; it appends a new row with state WITHDRAWN, and the customer's current position for a consent type is whichever row is most recent. The ledger is append-only so the full grant/withdraw timeline survives audits.
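An append-only ledger with the fields of consent_record.json above, written as an added example rather than Aforo's own schema (Aforo uses PostgreSQL per tenant; this uses SQLite so it runs stand-alone). The triggers make UPDATE and DELETE fail at the database layer, so the only way to record a withdrawal is to append a WITHDRAWN row, and "current consent" is derived from the latest row. The function names, the CHECK constraints and the sample events are assumptions.

```python
"""Append-only consent ledger (added example, not Aforo's schema)."""
from __future__ import annotations

import sqlite3
import uuid

SCHEMA = """
CREATE TABLE consent_records (
    consent_id      TEXT PRIMARY KEY,
    tenant_id       TEXT NOT NULL,
    end_customer_id TEXT NOT NULL,
    consent_type    TEXT NOT NULL,
    state           TEXT NOT NULL CHECK (state IN ('GRANTED', 'WITHDRAWN')),
    source          TEXT NOT NULL CHECK (source IN
                        ('SIGNUP', 'PORTAL', 'COOKIE_BANNER', 'API', 'IMPORT', 'OPERATOR')),
    granted_at      TEXT,
    withdrawn_at    TEXT,
    ip_address      TEXT,            -- itself personal data: evidentiary, so keep it out of exports
    user_agent      TEXT,
    policy_version  TEXT NOT NULL,   -- which terms were in force at consent time
    created_at      TEXT NOT NULL,
    -- exactly one of granted_at / withdrawn_at is set, matching state
    CHECK ((state = 'GRANTED'   AND granted_at IS NOT NULL AND withdrawn_at IS NULL)
        OR (state = 'WITHDRAWN' AND withdrawn_at IS NOT NULL AND granted_at IS NULL))
);
CREATE INDEX consent_lookup
    ON consent_records (tenant_id, end_customer_id, consent_type, created_at);
-- Append-only: UPDATE and DELETE are refused by the database, not just by convention.
CREATE TRIGGER consent_no_update BEFORE UPDATE ON consent_records
BEGIN SELECT RAISE(ABORT, 'consent_records is append-only'); END;
CREATE TRIGGER consent_no_delete BEFORE DELETE ON consent_records
BEGIN SELECT RAISE(ABORT, 'consent_records is append-only'); END;
"""

SCOPE = "tenant_id = ? AND end_customer_id = ? AND consent_type = ?"


def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn: sqlite3.Connection, tenant_id: str, end_customer_id: str, consent_type: str,
           state: str, source: str, policy_version: str, ip_address: str, user_agent: str,
           at: str) -> str:
    """Append one GRANTED or WITHDRAWN event (`at` is an ISO-8601 UTC timestamp); returns its id."""
    consent_id = "cons_" + uuid.uuid4().hex[:12]
    conn.execute(
        "INSERT INTO consent_records (consent_id, tenant_id, end_customer_id, consent_type, state,"
        " source, granted_at, withdrawn_at, ip_address, user_agent, policy_version, created_at)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
        (consent_id, tenant_id, end_customer_id, consent_type, state, source,
         at if state == "GRANTED" else None, at if state == "WITHDRAWN" else None,
         ip_address, user_agent, policy_version, at))
    conn.commit()
    return consent_id


def current_state(conn: sqlite3.Connection, tenant_id: str, end_customer_id: str,
                  consent_type: str) -> str | None:
    """Latest row wins. None means the subject was never asked, which must count as no consent."""
    row = conn.execute(
        f"SELECT state FROM consent_records WHERE {SCOPE} ORDER BY created_at DESC, rowid DESC LIMIT 1",
        (tenant_id, end_customer_id, consent_type)).fetchone()
    return row[0] if row else None


def has_consent(conn: sqlite3.Connection, tenant_id: str, end_customer_id: str,
                consent_type: str) -> bool:
    return current_state(conn, tenant_id, end_customer_id, consent_type) == "GRANTED"


def timeline(conn: sqlite3.Connection, tenant_id: str, end_customer_id: str,
             consent_type: str) -> list[tuple[str, str, str, str]]:
    """Full grant/withdraw history (created_at, state, source, policy_version) for an audit."""
    return conn.execute(
        f"SELECT created_at, state, source, policy_version FROM consent_records WHERE {SCOPE}"
        " ORDER BY created_at, rowid", (tenant_id, end_customer_id, consent_type)).fetchall()


def mutation_blocked(conn: sqlite3.Connection, consent_id: str) -> bool:
    """Prove the ledger is append-only: both an UPDATE and a DELETE of an existing row must fail."""
    for sql in ("UPDATE consent_records SET state = 'GRANTED' WHERE consent_id = ?",
                "DELETE FROM consent_records WHERE consent_id = ?"):
        try:
            conn.execute(sql, (consent_id,))
            conn.rollback()
            return False   # the statement succeeded: the ledger is not append-only
        except sqlite3.DatabaseError:
            conn.rollback()
    return True
```

Note that `current_state` orders by `created_at` and then by `rowid`, so two events written in the same second still resolve deterministically, and that a consent type with no row at all is reported as `None` rather than as withdrawn: callers should treat "never asked" and "withdrawn" the same way (no processing), but the distinction matters for the audit trail.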

GDPR-driven cascade purge#

When an erasure request enters its irreversible window (after the 30-day grace expires), Aforo cascades the erasure across every system that holds the customer's data. Each system purges its own copy independently and idempotently:

| Data | What is erased | Method |
|---|---|---|
| Account & identity | Account, sessions, MFA secrets, consent records, inbox notifications | Deleted |
| Team & support | Members, audit history, support tickets, community profiles, provisioned users | Deleted |
| Subscriptions & keys | Subscriptions, API keys, key bindings, coupon redemptions | Deleted |
| Invoices | Customer name + email on invoices replaced with [ERASED] | Anonymized, not deleted: tax law (7+ yr IRS / EU VAT) requires keeping the financial record; the Article 17(3)(b) carve-out applies |
| Customer record | Customer profile and its teams, members, apps, agents, and data exports | Deleted |
| Analytics | Usage and cost-attribution events keyed to the customer | Deleted |
| AI usage | Stored prompts and completions | Deleted |
WARNING
Invoices are anonymized, not deleted. Tax law (IRS 26 CFR 1.6001-1, 7-year retention; EU VAT Directive, 5-10 year retention; HMRC, 6 years) requires the financial record to survive. Aforo replaces customer-identifying fields with the literal string [ERASED] but preserves customer_id, tenant_id, line items, amount, currency, tax and dates. This satisfies Article 17(3)(b) (compliance with a legal obligation), a documented carve-out. The retained customer_id is only a dead key once the rest of the cascade has run: if any other retained record still maps that id back to a person, the invoice is pseudonymized rather than anonymized, which is why the cascade must complete in every system, not just most of them.
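The cascade as an idempotent per-system loop with the invoice carve-out, added here as an example and not Aforo's own purge code. The 30-day grace window, the [ERASED] literal and the invoice fields that survive follow the page; the in-memory stores, their record fields, the timestamps and the sample customers are constructed assumptions. It also includes the post-purge sweep a practitioner wants: a check that nothing keyed to the customer, and no raw identifier on an invoice, is left behind.

```python
"""Idempotent GDPR cascade purge with invoice anonymization (added example, not Aforo's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=30)
ERASED = "[ERASED]"
INVOICE_ERASE = ("customer_name", "customer_email")  # wiped
INVOICE_KEEP = ("invoice_id", "customer_id", "tenant_id", "line_items",
                "amount", "currency", "tax", "issued_at")  # must survive (Art. 17(3)(b))


@dataclass
class ErasureRequest:
    customer_id: str
    requested_at: datetime
    cancelled: bool = False  # the customer may cancel inside the grace window

    def irreversible_at(self) -> datetime:
        return self.requested_at + GRACE


@dataclass
class Systems:
    """Constructed in-memory stand-ins: system name -> row id -> row."""
    stores: dict[str, dict[str, dict]] = field(default_factory=dict)
    audit: list[dict] = field(default_factory=list)


def delete_rows(store: dict[str, dict], customer_id: str) -> int:
    """Delete every row keyed to the customer. A re-run finds nothing, so it is idempotent."""
    doomed = [k for k, row in store.items() if row.get("customer_id") == customer_id]
    for k in doomed:
        del store[k]
    return len(doomed)


def anonymize_invoices(store: dict[str, dict], customer_id: str) -> int:
    """Replace identifying invoice fields with [ERASED]; leave the financial record intact."""
    changed = 0
    for inv in store.values():
        if inv.get("customer_id") != customer_id:
            continue
        if all(inv.get(f) == ERASED for f in INVOICE_ERASE):
            continue  # already anonymized by an earlier run
        for f in INVOICE_ERASE:
            inv[f] = ERASED
        changed += 1
    return changed


def run_cascade(systems: Systems, req: ErasureRequest, now: datetime) -> dict[str, int] | None:
    """Purge every system independently; returns per-system counts, or None if not yet due.
    A failing system is recorded as -1 while the others still run; because every step is
    idempotent the cascade is simply re-driven until no -1 remains."""
    if req.cancelled or now < req.irreversible_at():
        return None
    results: dict[str, int] = {}
    for name, store in systems.stores.items():
        step = anonymize_invoices if name == "invoices" else delete_rows
        try:
            results[name] = step(store, req.customer_id)
        except Exception as exc:  # deliberately broad: one system must not stop the rest
            results[name] = -1
            systems.audit.append({"at": now, "customer_id": req.customer_id,
                                  "system": name, "error": repr(exc)})
    systems.audit.append({"at": now, "customer_id": req.customer_id, "results": dict(results)})
    return results


def residual_identifiers(systems: Systems, customer_id: str, *identifiers: str) -> list[str]:
    """Post-purge sweep: rows still keyed to the customer, or invoices still carrying a raw identifier."""
    hits: list[str] = []
    for name, store in systems.stores.items():
        for key, row in store.items():
            if row.get("customer_id") != customer_id:
                continue
            if name != "invoices" or any(v in identifiers for v in row.values() if isinstance(v, str)):
                hits.append(f"{name}:{key}")
    return hits


# Constructed timestamps for the walkthrough.
REQUESTED_AT = datetime(2026, 6, 1, tzinfo=timezone.utc)
IN_GRACE = REQUESTED_AT + timedelta(days=15)
AFTER_GRACE = REQUESTED_AT + timedelta(days=31)


def build_sample() -> Systems:
    """Constructed data: Alice (to be erased) and Bob (must be untouched)."""
    alice, bob = "cust_acme_alice", "cust_bob"
    return Systems(stores={
        "accounts": {"acct_1": {"customer_id": alice, "email": "alice@acme.example"},
                     "acct_2": {"customer_id": bob, "email": "bob@example.net"}},
        "sessions": {"sess_a": {"customer_id": alice}, "sess_b": {"customer_id": alice}},
        "api_keys": {"key_1": {"customer_id": alice, "key_hash": "sha256:placeholder"}},
        "analytics": {"ev_1": {"customer_id": alice}, "ev_2": {"customer_id": bob}},
        "invoices": {"inv_1001": {"invoice_id": "inv_1001", "customer_id": alice, "tenant_id": "smartai",
                                  "customer_name": "Alice Example", "customer_email": "alice@acme.example",
                                  "line_items": [{"sku": "pro_monthly", "qty": 1}],
                                  "amount": 4900, "currency": "USD", "tax": 0, "issued_at": "2026-05-01"}},
    })
```

Run it twice against the same request: the first pass returns the per-system counts, the second returns zeros everywhere and changes nothing, which is the property that makes a retry after a partial failure safe. The residual sweep after the first pass should come back empty; if it does not, whatever it names is the system whose purge is missing or not keyed the way the orchestrator expects.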